Ujex
Ujex is open-source infrastructure for email-native AI agents. The core slice gives every agent a real inbox, human approval gates, a hash-chained audit log, and durable Recall memory. All SDKs are Apache-2.0.
```bash
ujex send alice@vendor.com "invoice ready" "Sending by Friday." --require-human
ujex memory write preferred-vendor "Acme Widgets prefers Friday invoices."
ujex memory search "invoice preference"
# Approvals and Audit are automatic in the dashboard.
```
It is agent-native. Humans use it too, but the primitives are shaped for
programs: application/problem+json errors, capability tokens with revocation,
idempotent RPCs, hash-chained audit, prompt-injection scoring on every inbound
email, and a Governor that refuses actions whose cost or risk exceeds declared
policy.
:::tip What makes Ujex different?
Most agent frameworks are code libraries. Ujex is a stack. Schemas, Cloud Functions, scheduled jobs, storage buckets, Security Rules, and SDKs ship together and move in lock-step. One repo, one deploy, one audit log.
:::
Why
Agents today are stranded on islands. They can reason, call tools, and write code — but they struggle with the things humans take for granted:
- A real email address (not a human inbox on OAuth).
- A human approval path before risky outbound action.
- A tamper-evident audit trail for what the agent did and why.
- A memory that lasts longer than a context window.
Every team reinvents these poorly. Ujex ships them once, as defaults.
The stack
| Subsystem | What it gives the agent | Status |
|---|---|---|
| Identity | Capability tokens, scoped device keys, encrypted secrets, hash-chained audit | Live |
| Postbox | Per-agent real inboxes, plus-addressing, injection scoring, DKIM/SPF/DMARC verdicts, outbound approval gate | Core · Live |
| Approvals | FCM/SMS/web decisions linked to outbound actions and audit entries | Core · Live |
| Audit | sha256(prev ‖ payload) event log, hourly auto-verified, owner-scoped dashboard feed | Core · Live |
| Recall | Markdown-first memory (Storage source of truth, Firestore derived vector index) + episodic/fact backwards-compat | Core · Live |
| Ingress | No-signup tunnels via bore + cloudflared; bring-your-own Cloudflare Tunnel for stable URLs | Secondary · Live |
| Governor | Per-agent spend/action tracking, 80%-budget alerts, override with +50% cap | Secondary · Live |
| Scheduler | Cron for agents: HMAC-signed webhook delivery with retry + DLQ | Secondary · Live |
| Pods | Multi-tenant hierarchy: owner/admin/viewer roles, scoped API keys, 30-day soft-delete grace | Live |
| Artifacts | Signed upload URLs via Cloud Storage, scoped read grants, TTL reaping | Live |
| Mesh | | Archived — replaced by Ingress |
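
The Audit row describes the log as `sha256(prev ‖ payload)`. The sketch below is an added example, not Ujex's own code, showing how a chain of that shape is built and verified and where tampering surfaces. The all-zero genesis value, the canonical-JSON payload encoding, and the `prev`/`payload`/`hash` field names are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = bytes(32)  # assumed genesis "prev"; the real value is not given on this page


def canonical(payload: dict) -> bytes:
    # Deterministic encoding so the same event always hashes identically (assumed format).
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def link(prev: bytes, payload: dict) -> bytes:
    # sha256(prev ‖ payload). prev is always 32 bytes, so the concatenation
    # is unambiguous without a length prefix.
    return hashlib.sha256(prev + canonical(payload)).digest()


def append(chain: list, payload: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": link(prev, payload)})


def verify(chain: list, expected_head: Optional[bytes] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    Returns len(chain) when every link is valid but the final hash differs
    from expected_head, which is how a truncated tail shows up.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != link(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def demo_chain() -> list:
    # Constructed sample events, not real Ujex audit records.
    chain: list = []
    append(chain, {"seq": 0, "action": "email.send.requested", "to": "alice@vendor.com"})
    append(chain, {"seq": 1, "action": "approval.granted", "by": "owner"})
    append(chain, {"seq": 2, "action": "email.send.completed"})
    return chain
```

Edits and deletions inside the chain break a link and are reported by index. Dropping entries from the tail leaves a shorter but internally valid chain, so the verifier needs a head hash stored somewhere the log writer cannot rewrite.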
What's deployed
Reference deployment runs on Firebase project axy-ujex (billing linked,
Firestore in eur3 region).
| Surface | Domain | Build target |
|---|---|---|
| Marketing + product pages | ujex.dev, postbox.ujex.dev, with.ujex.dev, compliance.ujex.dev | Vite landing (landing/dist → Firebase Hosting site axy-ujex) |
| Docs | docs.ujex.dev | Docusaurus (docs-site/build → Firebase Hosting site axy-ujex-docs) |
| Control plane | Cloud Functions (68 endpoints in functions/src) | axy-ujex / us-central1 — deploy rolling |
| Mail bridge | SMTP relay at mail.ujex.dev (DKIM-signed, transactional) | — |
Where to go next
- First time here? → Quickstart.
- Evaluating? → Architecture Overview and Threat Model.
- Integrating? → API Reference or the SDK guide.
- Reading the spec? → Concepts and Glossary.
:::info
Last verified 2026-04-23 · 285/308 functions unit tests pass · 8/8 public domains HTTP 200
:::